We present a semantics-based framework for analysing the quantitative behaviour of programs with regard to resource usage. We start from an operational semantics equipped with costs. The dioid structure of the set of costs allows the quantitative semantics to be defined as a linear operator. We then present an abstraction technique inspired by abstract interpretation in order to effectively compute global cost information from the program. Abstraction has to take two distinct notions of order into account: the order on costs and the order on states. We show that our abstraction technique provides a correct approximation of the concrete cost computations.

1 Introduction 

Static analyses are used to ensure qualitative properties of programs, such as the non-reachability of a given set of forbidden states. The abstract interpretation theory encompasses many existing static analyses and allows for systematically designing a variety of new ones by defining abstract semantic domains and transfer functions adapted to the problem under consideration. The main idea of abstract interpretation is to replace concrete semantic computations (often intractable or even uncomputable) by abstract ones which are guaranteed to terminate, hopefully in reasonable time.

In this paper, we are interested in analysing quantitative properties of programs pertaining to the use of resources (time, memory, ...). The computation of quantitative properties of program behaviours suffers from the same drawbacks as its qualitative counterpart, and thus needs adequate abstraction methods. The field of quantitative software analysis has mainly concentrated on the analysis of probabilistic properties, and the various corresponding models have developed their own abstraction techniques. Modelling non-functional but non-probabilistic behaviour of programs has received less attention.

Our starting point is an operational model of program execution in which the cost of each computational step is made explicit: a standard small-step operational semantics, expressed as a transition relation between states, extended with a cost associated to each transition. The set of costs is given a dioid (or idempotent semiring) structure with two operators: a "product" operator that combines the costs along an execution path, and a "sum" operator that combines costs coming from different paths. This allows the operational semantics to be recast into a framework of linear operators over a vectorial structure, namely the moduloid of vectors of costs indexed over the set of states.

Seeing the semantics of a program as a linear operator allows us to benefit from the nice algebraic properties of these operators. In particular, we are able to easily define two notions of cost for a whole program execution: a global cost from input to final states, meaningful only if the program terminates, and a more interesting notion of long-run cost, which corresponds to the maximum average of the costs accumulated along a cycle of the program semantics and provides an over-approximation of the average cost per transition of long traces. This latter notion is particularly interesting for the analysis of programs with cyclic behaviour (such as reactive systems), in which the asymptotic average cost along cycles, rather than the global cost of the entire execution, is of interest.

Usual abstract interpretations are defined using Galois connections on partially ordered structures, generally assuming the existence of a complete lattice structure for concrete and abstract semantic domains. In our model, we already have a notion of partial order, namely the order on costs induced by the summation operator of the dioid. This order is easily extended pointwise to vectors indexed over states. If we do not assume any additional lattice order on states, we are able to define a simple notion of partition-based abstraction. This abstraction technique has been developed in [18, 17], and is suitable for simple analyses that consist in "forgetting" information when going from concrete to abstract states. If we want to use more elaborate abstractions, and in particular reuse the classical abstractions of standard abstract interpretation theory, we have to find an abstraction technique that copes with two distinct notions of order: the dioid order on costs, and the lattice order on states. The present paper addresses more specifically that question.

This paper is structured as follows. Section 2 defines the quantitative operational semantics of a program as a linear operator, and gives the precise definition of cost dioid. Section 3 defines the notions of global and long-run cost that can be extracted from the operational semantics. Section 4 gives the general definition of Galois connection that is used in abstract interpretation theory, and shows its relation with the notion of residuation that is used in our dioid context. Section 5 recalls the main results of partition-based abstractions, and shows the limitations of this technique. Section 6 shows how abstractions can be designed that respect both the dioid order on costs and the lattice structure of states. Section 7 gives related work and concluding remarks.

2 Linear operator semantics 

Transitions of the semantics are supplied with quantities (or costs) depending on the accessed states. We consider as semantic model a countable set of states $\Sigma$, and define a program as a transition system $P = (\Sigma, \to, I, F)$, where $I$ is a set of initial states and $F$ a set of final states, without referring to any particular syntax. The quantitative operational semantics of $P$ is defined by the transition relation $\to\ \subseteq \Sigma \times \Sigma \times Q$, where a transition $\sigma \xrightarrow{q} \sigma'$ denotes a transition from state $\sigma$ to state $\sigma'$ at cost $q$. The cost $q$ is a function of $\sigma$ and $\sigma'$, and the structure of the set $Q$ of costs will be made precise in the next subsection.
The trace semantics of $P$ is defined as follows.

$$\llbracket P \rrbracket_{tr} = \{\sigma_0 \xrightarrow{q_0} \sigma_1 \cdots \xrightarrow{q_{n-1}} \sigma_n \mid \sigma_0 \in I,\ \sigma_i \xrightarrow{q_i} \sigma_{i+1}\}$$

In the remainder of this section, we explain in more detail the structure we chose for sets of costs, namely cost dioids, before showing how the quantitative operational semantics can be seen as a linear operator over vectorial structures constructed from cost dioids.
2.1 Cost dioid

A transition $\sigma \xrightarrow{q} \sigma'$ of the quantitative operational semantics states that a direct (one-step) transition from $\sigma$ to $\sigma'$ costs $q$. These unitary transitions can be combined into big-step transitions, using two operators: $\otimes$ for accumulating costs and $\oplus$ to get a "maximum" of different costs. Costs can be defined in more general ways (for instance, one could use a more general algebra of costs as in [1]), but the present definition of cost dioids covers a number of different costs and has interesting computational properties, since it can be used within a linear operator semantic framework, as presented in the next subsection.

The operator $\otimes$ on $Q$ defines the global cost of a sequence of transitions $\sigma \xrightarrow{q_1} \cdots \xrightarrow{q_n} \sigma'$ simply as $q = q_1 \otimes \cdots \otimes q_n$. This is written $\sigma \xrightarrow{q}_{p} \sigma'$, where $p$ is a sequence of states that has $\sigma$ (resp. $\sigma'$) as first (resp. last) state.

There may be several ways to reach a state $\sigma'$ from a state $\sigma$, due to the presence of loops and non-determinism in the semantics. Let the set of possible paths be $\Pi_{\sigma,\sigma'} = \{p \mid \sigma \xrightarrow{q_p}_{p} \sigma'\}$. The global cost between $\sigma$ and $\sigma'$ will be defined, using the operator $\oplus$ on $Q$, to be $q = \bigoplus_{p \in \Pi_{\sigma,\sigma'}} q_p$. Formally, the two operators have to fulfil the conditions of a (commutative) dioid.

Definition 1 A commutative dioid is a structure $(Q, \oplus, \otimes)$ such that

1. Operator $\otimes$ is associative, commutative and has a neutral element $e$. Quantity $e$ represents a transition that costs nothing.

2. Operator $\oplus$ is associative, commutative and has $\bot$ as neutral element. Quantity $\bot$ represents the impossibility of a transition.

3. $\otimes$ is distributive over $\oplus$, and $\bot$ is an absorbing element for $\otimes$ ($\forall x.\ x \otimes \bot = \bot \otimes x = \bot$).

4. The preorder defined by $\oplus$ ($a \le b \Leftrightarrow \exists c : a \oplus c = b$) is an order relation (i.e. it satisfies $a \le b$ and $b \le a \Rightarrow a = b$).

A classical result of dioid theory [12] states that $\oplus$ and $\otimes$ preserve the order $\le$, i.e., for all $a, b, c \in Q$ with $a \le b$, $a \oplus c \le b \oplus c$ and $a \otimes c \le b \otimes c$.

By nature, a dioid cannot be a ring, since there is an inherent contradiction between the fact that $\oplus$ induces an order relation and the fact that every element has an inverse for $\oplus$.

If several paths go from some state $\sigma$ to a state $\sigma'$ at the same cost $q$, we will require that the global cost is also $q$, i.e. we work with idempotent dioids: $q \oplus q = q$ for all $q$ in $Q$. Note that in an idempotent dioid $a \le b \Leftrightarrow a \oplus b = b$.

The fact that sets of states may be infinite, together with the use of residuation theory in Section 4, requires our structure to contain the sum of any set of costs¹.

Definition 2 An idempotent dioid is complete if it is closed with respect to infinite sums, and the distributivity law holds also for an infinite number of summands: for any set $X \subseteq Q$, the infinite sum $\bigoplus_{x \in X} x$ exists in the dioid and for all $a \in Q$, $a \otimes (\bigoplus_{x \in X} x) = \bigoplus_{x \in X} (a \otimes x)$.

A complete dioid is naturally equipped with a top element, which we shall write $\top$, which is the sum of all its elements. We recall that a complete dioid is always a complete lattice, thus equipped with a meet operator $\wedge$ [3]. The notion of long-run cost we will define in Section 3 relies on the computation of an average cost along the transitions of a cycle. This requires the existence of an $n$th root function.



¹ This way, we define a complete sup-semilattice over $Q$.

Table 1: Some examples of cost dioids



Definition 3 A dioid $(Q, \oplus, \otimes)$ is equipped with an $n$th root function if for all $q$ in $Q$, the equation $x^n = q$ has a unique solution in $Q$, denoted by $\sqrt[n]{q}$.

A sequence containing $n$ transitions, each costing $\sqrt[n]{q}$ on average, will thus cost $q$. Some examples of $n$th roots can be found in Table 1. To be able to easily deal with the $n$th root, we make the assumption that the $n$th power is $\oplus$-lower-semicontinuous ($\oplus$-lsc for short): for all $X \subseteq Q$, $(\bigoplus_{x \in X} x)^n = \bigoplus_{x \in X} x^n$. This assumption and its consequences will be very useful for the theorems relating long-run cost and trace semantics in Section 3. Note that this equality remains true for finite $X$ (in that case the $n$th power is said to be a $\oplus$-morphism).

The following definition summarizes the required conditions for our structure. 

Definition 4 (Cost dioid) A cost dioid is a complete and idempotent commutative dioid, equipped with an $n$th root operation, where the $n$th power is $\oplus$-lsc.

Although the definition of cost dioids may seem rather restrictive, we have shown in [6] that many classes of dioids found in the literature are indeed cost dioids. Table 1 gives a non-exhaustive list of examples of cost dioids. The taxonomy is borrowed from [3]: a dioid is selective² if for all $a, b$, $a \oplus b$ is either $a$ or $b$, double-idempotent if both $\oplus$ and $\otimes$ are idempotent, and cancellative if for all $a, b, c$, $a \otimes b = a \otimes c$ and $a \neq \bot$ implies $b = c$.

The most common examples of cost dioids are $(\overline{\mathbb{R}}, \max, +)$ and $(\overline{\mathbb{R}}, \min, +)$, where $\overline{\mathbb{R}}$ stands for $\mathbb{R} \cup \{-\infty, +\infty\}$. The induced orders are, respectively, the orders $\le$ and $\ge$ over real numbers, extended to $\overline{\mathbb{R}}$ in the usual way. These dioids are at the basis of discrete event systems theory, from which we borrow the notion of long-run cost in Section 3.



2.2 Semantics as linear operators over dioids

Thanks to the multiplication and addition operators of the cost dioid, the set of one-step transitions can be equivalently represented by a transition matrix $M \in \mathcal{M}_{\Sigma \times \Sigma}(Q)$ with

$$M_{\sigma,\sigma'} = \begin{cases} q & \text{if } \sigma \xrightarrow{q} \sigma' \\ \bot & \text{otherwise} \end{cases}$$

Here, $\mathcal{M}_{\Sigma \times \Sigma}(Q)$ stands for the set of matrices with rows and columns indexed over $\Sigma$, and values in $Q$. In the following, a program $P = (\Sigma, \to, I, F)$ will be equivalently denoted as $P = (\Sigma, M, I, F)$ where $M$ is the matrix associated to $\to$.



² The order induced by a selective dioid is total.
The set $\mathcal{M}_{\Sigma \times \Sigma}(Q)$ is naturally equipped with two operators $\oplus$ and $\otimes$ in the classical way: operator $\oplus$ is extended pointwise, and operator $\otimes$ corresponds to the matrix product (note that the iterate $M^n$ embeds the costs of paths of length $n$). Recall that the dioid is complete, ensuring the existence of the sum for each coefficient of the product matrix. The resulting structure is also an idempotent and complete dioid. The order induced by $\oplus$ corresponds to the pointwise extension of the order over $Q$: $M \le M' \Leftrightarrow \forall i, j.\ M_{i,j} \le M'_{i,j}$. A transition matrix may also be seen as a linear operator on the moduloid of vectors indexed by $\Sigma$, a moduloid being the analogue of a vector space using a dioid instead of a field for external multiplication.

If $E$ is an idempotent dioid, then for any moduloid $V$ over $E$ the addition operator $\oplus$ defined pointwise is also idempotent, and thus defines a canonical order on $V$. As for vector spaces, if $n$ is a given integer, $E^n$, the set of vectors with $n$ components in $E$, is a moduloid. More generally, a vector $u \in E^n$, with $|\Sigma| = n$, can be seen as a function $\delta_u : \Sigma \to E$. Since $Q$ is complete, we can generalize to the infinite countable case: $\delta_u$ becomes a mapping from $\mathbb{N}$ to $Q$. The matrix-vector product is defined by $(Mu)_i = \bigoplus_{j=1}^{\infty} M_{i,j} \otimes \delta_u(j)$. In this paper, we will keep the matrix notation for the sake of simplicity, even for an infinite set of indices.

3 Global and long-run cost

3.1 Global cost

Let $M$ be the matrix representing the quantitative transitions of a program $P$. Recall that $M^k$ summarizes the transition costs of all paths of length $k$. The global cost is then defined by computing the successive iterates of the transition cost matrix until a fixpoint is reached. The transitive closure thus contains the transition costs from any state to any state.

$$M^{+} = \bigoplus_{k=1}^{\infty} M^{k}$$

The global cost of a program is obtained by extracting the input-output cost from this transitive closure.

Definition 5 The global cost of a program $P = (\Sigma, \to, I, F)$ is defined as

$$gc(P) = \bigoplus \{ M^{+}_{i,f} \mid i \in I, f \in F \}$$

Recall that, since we work in a complete semiring, this transitive closure is always defined. The global cost is related to the standard trace semantics by the following result [18].

Theorem 1

$$gc(P) = \bigoplus \Big\{ \bigotimes_{j=1}^{f-1} q_j \ \Big|\ \sigma_1 \xrightarrow{q_1} \cdots \xrightarrow{q_{f-1}} \sigma_f \in \llbracket P \rrbracket_{tr},\ \sigma_f \in F \Big\} \qquad (1)$$

Unfortunately, if the only information we get is that the global cost is equal to the top element of the dioid, this definition is of little interest. This is the case in particular when the semantics contains cycles of non-null cumulative cost, which frequently arises when the matrix $M$ is an abstraction of the semantics, as developed in Section 5. The notion of global cost thus correctly deals with terminating programs over a finite state space, but is inappropriate for reactive systems. For this reason, we rather use the notion of long-run cost.
3.2 Long-run cost

Intuitively, the long-run cost of a program represents a maximal average cost over cycles of transitions. The average cost of a finite path is defined as the arithmetical mean (w.r.t. the $\otimes$ operator) of the costs labelling its transitions. In other words, it is the $n$th root of the global cost of the path, where $n$ is its length. We write $\bar{q}(p) = \sqrt[|p|]{q(p)}$ for the average cost of path $p$, where $q(p)$ is the global cost of $p$, and $|p|$ its length. The "maximum" average cost of all cycles in the graph will be the quantity we are interested in: this quantity will be called long-run cost. The following example illustrates these notions on a simple graph.

[Figure: a transition graph over states a, b, c, d in the dioid $(\overline{\mathbb{R}}, \max, +)$, with edges a → b (cost 8), b → c (3), c → c (2), c → d (4) and d → b (5), as read from the path computations below.]

Average cost of path abc = (8 + 3)/2 = 5.5
Cycle bcdb: average cost = (3 + 4 + 5)/3 = 4
Cycle bccdb: average cost = 14/4 = 3.5
Cycle cc: average cost = 2/1 = 2

Long-run cost = 4

The diagonal of matrix $M^k$ contains the costs of all cycles of length $k$. If we add up all the elements on this diagonal, we get the trace of the matrix. This observation gives rise to the following definition.

Definition 6 Let $P = (\Sigma, M, I, F)$ be a program. Let $R$ be $M$ restricted to the set of states $\Sigma_I$ reachable from $I$. The long-run cost of program $P$ is defined as

$$\rho(P) = \bigoplus_{k=1}^{\infty} \sqrt[k]{\operatorname{tr} R^{k}} \qquad \text{where} \qquad \operatorname{tr} R = \bigoplus_{i=1}^{\infty} R_{i,i}$$

Note that this definition is valid even for an infinite number of states, since we work with complete dioids. As an example, if we work in the dioid $(\overline{\mathbb{R}}, \max, +)$, $\rho(P)$ may represent the maximal average time spent per instruction, where the average is computed on any cycle by dividing the total time spent in the cycle by the number of instructions in this cycle. In the case of a finite set of states, the long-run cost is computable, and we note in passing that its definition coincides with the definition of the maximum of the eigenvalues of the matrix, in the case of an irreducible matrix in an idempotent semiring [3].

The following proposition [6] establishes in a more formal manner the link between this definition of long-run cost and the cycles of the semantics.

Proposition 1 Let $\Gamma$ be the set of cycles in $\to$. Then $\rho(P) = \bigoplus_{c \in \Gamma} \bar{q}(c)$.

As we aim at giving a characterisation of the asymptotic behaviour of a program, we could have defined the long-run cost as the limit of the average costs of all traces, instead of referring to cycles. The drawback of this approach is that such a definition is not suitable for computation, even if the set of states is finite. It is shown however in [6] that those two notions coincide in a restricted class of cost dioids and when the set of states is finite.



4 Galois connections and residuation

The transition matrix representing a program is in general of infinite dimension, so neither transitive closure nor traces can be computed in finite time. Even if we deal with finitely machine-represented states, the state space is in general too large for ensuring tractable computations. To overcome this problem, we define an abstract matrix that can be used to approximate the computations of the original matrix. To prove the correctness of this approximation, we re-state the classical abstract interpretation theory in terms of linear operators over moduloids. We first briefly recall a definition of Galois connection that is used in abstract interpretation.

Definition 7 Let $(C, \le_C)$ and $(D, \le_D)$ be two partially ordered sets. Two mappings $\alpha : C \to D$ (called abstraction function) and $\gamma : D \to C$ (called concretization function) form a Galois connection $(C, \alpha, \gamma, D)$ iff:

• $\forall c \in C, \forall d \in D,\ c \le_C \gamma(d) \Leftrightarrow \alpha(c) \le_D d$, or equivalently

• $\alpha$ and $\gamma$ are monotonic and $\alpha \circ \gamma \le Id_D$ and $Id_C \le \gamma \circ \alpha$

The classical use of Galois connections considers complete lattices, but their general definition is given on partially ordered sets. A question that naturally arises is that of the existence of an analogous notion relative to vectorial structures. In the case of vector spaces over the field of reals (more precisely, reals between 0 and 1 denoting probabilities), Di Pierro and Wiklicky provide an elegant solution by using the notion of Moore-Penrose pseudo-inverse for bounded linear operators over Hilbert spaces. In our setting, we do not have a field structure, but still benefit from a partial order relation between vectors, namely the order induced by the $\oplus$ operator over vectors in a moduloid. From a general point of view, the $\alpha$ and $\gamma$ mappings of a Galois connection form a pair of residuated maps [14]. Applied to our dioid setting, residuation theory can be restated as follows [3].

Proposition 2 Let $E$ and $F$ be two sets equipped with a complete partial order, $f$ a monotone mapping from $E$ to $F$. We call subsolution of the equation $f(x) = b$ an element $y$ such that $f(y) \le b$. The following properties are equivalent.

1. For all $b \in F$, there exists a greatest subsolution to the equation $f(x) = b$.

2. $f(\bot_E) = \bot_F$, and $f$ is $\oplus$-lsc.

3. There exists a monotone mapping $f^{\sharp} : F \to E$ which is upper semi-continuous³ such that $f \circ f^{\sharp} \le Id_F$ and $Id_E \le f^{\sharp} \circ f$.

Consequently, $f^{\sharp}$ is unique. When $f$ satisfies these properties, it is said to be residuated, and $f^{\sharp}$ is called its residual.

In our framework, the complete orders are the moduloid orders defined pointwise from the cost dioid order. If no additional order on the set of states is assumed, there is a straightforward way to define residuated pairs of abstraction and concretization functions on moduloids. This method of abstraction has been developed in [18, 17], and we recall it in the next section to show its limitations. If we start from an already existing abstraction function using a lattice structure on states, we have to cope with two distinct orders: the lattice order on states, and the dioid order on costs. We thus have to define residuated pairs that take both orders into account. This will be developed in Section 6.



³ Upper semi-continuity is the analogue of lower semi-continuity for the $\wedge$ operator.
5 Partition-based abstraction

We will first consider the simple case where the abstraction is a mapping from concrete to abstract states. This comes down to partitioning the set of concrete states, where the equivalence classes are defined by abstract states. In this section, $\Sigma$ will denote a set of concrete states and $\Sigma^{\sharp}$ a set of abstract states, with no assumption on the structure of these sets. In particular, they are not supposed to be ordered. An abstraction function $\alpha$ is thus a mapping from $\Sigma$ to $\Sigma^{\sharp}$. In contrast, we consider a cost dioid $Q$ with its partial order relation.

5.1 Linear operator for abstraction

If we now want to see the abstraction function as a linear abstraction operator between the moduloids constructed on $Q$ with indexes in $\Sigma$ and $\Sigma^{\sharp}$, respectively, we define the linear lift [7] of $\alpha$ as $\alpha^{\uparrow} \in \mathcal{M}_{\Sigma^{\sharp} \times \Sigma}(Q)$ by setting⁴

$$\alpha^{\uparrow}_{\sigma^{\sharp},\sigma} = \begin{cases} e & \text{if } \alpha(\sigma) = \sigma^{\sharp} \\ \bot & \text{otherwise} \end{cases}$$

In order to alleviate notations, $\le$ will stand for the pointwise order defined on $\mathcal{M}_{\Sigma \times \Sigma}(Q)$ or $\mathcal{M}_{\Sigma^{\sharp} \times \Sigma}(Q)$. The pointwise orders defined on moduloids constructed over a complete dioid are also complete. Moreover, as the abstraction function is linear, it trivially fulfils requirement 2 of Proposition 2, and we get the following result [18] by taking $\gamma^{\uparrow} = (\alpha^{\uparrow})^{\sharp}$.

Theorem 2 Let $\Sigma$ and $\Sigma^{\sharp}$ be the domains of concrete and abstract states, $\alpha$ a mapping from $\Sigma$ to $\Sigma^{\sharp}$, and $\alpha^{\uparrow} \in \mathcal{M}_{\Sigma^{\sharp} \times \Sigma}(Q)$ the linear mapping obtained by lifting $\alpha$. There exists a unique monotonic $\gamma^{\uparrow}$ such that

$$\alpha^{\uparrow} \circ \gamma^{\uparrow} \le Id_{\Sigma^{\sharp} \times \Sigma^{\sharp}} \qquad \text{and} \qquad Id_{\Sigma \times \Sigma} \le \gamma^{\uparrow} \circ \alpha^{\uparrow}$$

where $Id_{\Sigma \times \Sigma}$ (resp. $Id_{\Sigma^{\sharp} \times \Sigma^{\sharp}}$) denotes the identity matrix in $\mathcal{M}_{\Sigma \times \Sigma}(Q)$ (resp. $\mathcal{M}_{\Sigma^{\sharp} \times \Sigma^{\sharp}}(Q)$).

The very simple form of abstraction we deal with up to now gives rise to a very simple expression for $\gamma^{\uparrow}$. Indeed, the unique $\gamma^{\uparrow}$ matching the requirements of Theorem 2 is the transpose matrix of $\alpha^{\uparrow}$.

5.2 Induced abstract semantics

Given a program $P$ over $\Sigma$, we want to define an abstract transition system over the abstract domain $\Sigma^{\sharp}$ that is "compatible" with $P$, both from the point of view of its traces and from the costs it leads to compute. The following definition of a correct abstraction ensures that both global and long-run costs of $P$ are correctly over-approximated during the abstraction process.

Definition 8 (Correct abstraction) Let $P = (\Sigma, M, I, F)$ be a transition system where $M \in \mathcal{M}_{\Sigma \times \Sigma}(Q)$ and $P^{\sharp} = (\Sigma^{\sharp}, M^{\sharp}, I^{\sharp}, F^{\sharp})$ be a transition system over the abstract domain, with $M^{\sharp} \in \mathcal{M}_{\Sigma^{\sharp} \times \Sigma^{\sharp}}(Q)$. Let $\alpha$ be a mapping from $\Sigma$ to $\Sigma^{\sharp}$. The triple $(P, P^{\sharp}, \alpha)$ is a correct abstraction from $\Sigma$ to $\Sigma^{\sharp}$ if the three conditions (1) $\alpha^{\uparrow} \circ M \le M^{\sharp} \circ \alpha^{\uparrow}$, (2) $\{\alpha(\sigma) \mid \sigma \in I\} \subseteq I^{\sharp}$ and (3) $\{\alpha(\sigma) \mid \sigma \in F\} \subseteq F^{\sharp}$ hold.



⁴ Recall that $e$ denotes the neutral element for $\otimes$.
The classical framework of abstract interpretation gives a way to define a best correct abstraction for a given concrete semantic operator. In the same way, given an abstraction $\alpha$ and a concrete semantics linear operator, we can define an abstract semantics operator that is correct by construction, as expressed by the following proposition [?].

Proposition 3 Let $\alpha$ be an abstraction from $\Sigma$ to $\Sigma^{\sharp}$, and $P = (\Sigma, M, I, F)$ a transition system over the concrete domain. We set $P^{\sharp} = (\Sigma^{\sharp}, M^{\sharp}, I^{\sharp}, F^{\sharp})$ with

$$M^{\sharp} = \alpha^{\uparrow} \circ M \circ \gamma^{\uparrow}, \qquad I^{\sharp} = \{\alpha(\sigma) \mid \sigma \in I\} \qquad \text{and} \qquad F^{\sharp} = \{\alpha(\sigma) \mid \sigma \in F\}$$

Then $(P, P^{\sharp}, \alpha)$ is a correct abstraction from $\Sigma$ to $\Sigma^{\sharp}$. Moreover, given $P$ and $\alpha$, $P^{\sharp}$ provides the best possible abstraction in the sense that if $P' = (\Sigma^{\sharp}, M', I', F')$ is another correct abstraction, then $M^{\sharp} \le M'$, $I^{\sharp} \subseteq I'$ and $F^{\sharp} \subseteq F'$.

5.3 Correctness of cost computations

The question that naturally arises is to know how global and long-run costs are transformed by abstraction. Theorems 3 and 4 below state that a correct abstraction gives an over-approximation of the concrete global cost [6] and of the concrete long-run cost [7], respectively.

Theorem 3 If $(P, P^{\sharp}, \alpha)$ is a correct abstraction, then $gc(P) \le_Q gc(P^{\sharp})$.

Theorem 4 If $(P, P^{\sharp}, \alpha)$ is a correct abstraction, then $\rho(P) \le_Q \rho(P^{\sharp})$.

The proofs of these theorems rely on the fact that correctness is preserved when the concrete and abstract matrices are iterated simultaneously [6].
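The Python program below is an added worked example, not code from the paper. It carries the computations of Sections 2.2, 3.1, 3.2 and 5.1 to 5.3 out on the four-state graph of the figure in Section 3.2 (a → b costs 8, b → c 3, c → c 2, c → d 4, d → b 5) for the two dioids $(\overline{\mathbb{R}}, \max, +)$ and $(\overline{\mathbb{R}}, \min, +)$, whose $\otimes$ is $+$ and whose $n$th root is division by $n$. The initial and final sets $I = \{a\}$, $F = \{d\}$ and the partition $\alpha$ that merges b, c and d into one abstract state are our own assumptions, as are all function names. It shows the three points the text makes: the global cost is $\top$ in $(\max,+)$ because the cycle cc has non-null cost (the iterates of $M^{+}$ never stabilise), while in $(\min,+)$ it is the shortest-path cost 15; the long-run cost is 4, reached by the cycle bcdb; and the best abstraction $M^{\sharp} = \alpha^{\uparrow} \circ M \circ \gamma^{\uparrow}$ of Proposition 3 satisfies Definition 8 and over-approximates the long-run cost ($\rho(P^{\sharp}) = 5 \ge 4$, Theorem 4).

```python
"""Cost-dioid semantics of a finite transition system on the graph of Section 3.2:
global cost M+, long-run cost from the traces of R^k, and the partition-based
abstraction of Section 5 (linear lift of alpha, M# = alpha ⊗ M ⊗ gamma).
Matrices are sparse dicts {(row, col): cost}; an absent entry is ⊥."""
from collections import namedtuple
from functools import reduce

# (R̄, max, +) and (R̄, min, +) share ⊗ = + (neutral e = 0) and the nth root q ↦ q/n;
# they differ in ⊕ and in ⊥ (neutral for ⊕, absorbing for ⊗).
Dioid = namedtuple("Dioid", "plus bot")
MAX_PLUS = Dioid(max, float("-inf"))   # worst accumulated cost over alternative paths
MIN_PLUS = Dioid(min, float("inf"))    # best accumulated cost (shortest path)

# Constructed example: the graph of the figure in Section 3.2.  I, F and the
# partition ALPHA (b, c, d merged into one abstract state) are assumptions.
STATES = ["a", "b", "c", "d"]
EDGES = {("a", "b"): 8, ("b", "c"): 3, ("c", "c"): 2, ("c", "d"): 4, ("d", "b"): 5}
INITIAL, FINAL = {"a"}, {"d"}
ALPHA = {"a": "A", "b": "B", "c": "B", "d": "B"}

def big_plus(costs, D):
    """⊕ over a collection of costs (⊥ for the empty collection)."""
    return reduce(D.plus, costs, D.bot)

def mat_mul(A, B, D):
    """(A ⊗ B)[i][j] = ⊕_k A[i][k] ⊗ B[k][j] on sparse matrices."""
    rows_of_B = {}
    for (k, j), b in B.items():
        rows_of_B.setdefault(k, []).append((j, b))
    C = {}
    for (i, k), a in A.items():
        for j, b in rows_of_B.get(k, ()):
            C[(i, j)] = D.plus(C.get((i, j), D.bot), a + b)
    return C

def mat_plus(A, B, D):
    """(A ⊕ B)[i][j] = A[i][j] ⊕ B[i][j], pointwise."""
    C = dict(A)
    for ij, b in B.items():
        C[ij] = D.plus(C.get(ij, D.bot), b)
    return C

def path_cost(path, M):
    """Global cost q(p) = ⊗ of the edge costs, and the average cost, its |p|-th root."""
    q = sum(M[(u, v)] for u, v in zip(path, path[1:]))
    return q, q / (len(path) - 1)

def kleene_plus(M, D, n_states):
    """M+ = ⊕_{k≥1} M^k as the fixpoint of S ↦ M ⊕ M⊗S, with S_k = ⊕_{i≤k} M^i.
    S_{k+1} = M ⊕ M⊗S_k, so one unchanged step means the sequence is stable for good.
    Over n states the (max,+)/(min,+) iterates stabilise within n steps unless a cycle
    whose cost keeps accumulating is reachable; M+ is then ⊤ on the affected entries,
    which is reported as None."""
    S = M
    for _ in range(n_states + 1):
        S_next = mat_plus(M, mat_mul(M, S, D), D)
        if S_next == S:
            return S
        S = S_next
    return None

def global_cost(states, M, initial, final, D):
    """gc(P) = ⊕{ M+[i][f] | i ∈ I, f ∈ F }; None when M+ does not stabilise."""
    Mplus = kleene_plus(M, D, len(states))
    if Mplus is None:
        return None
    return big_plus((q for (i, f), q in Mplus.items() if i in initial and f in final), D)

def reachable(M, initial):
    seen, todo = set(initial), list(initial)
    while todo:
        s = todo.pop()
        for (u, v) in M:
            if u == s and v not in seen:
                seen.add(v)
                todo.append(v)
    return seen

def long_run_cost(M, initial, D):
    """ρ(P) = ⊕_k k-th root of tr(R^k), R being M restricted to the states reachable
    from I.  k ≤ |reachable| suffices: a longer cycle repeats a state, so it splits
    into shorter cycles and its average cost lies between theirs."""
    reach = reachable(M, initial)
    R = {(u, v): q for (u, v), q in M.items() if u in reach and v in reach}
    Rk, rho = R, D.bot
    for k in range(1, len(reach) + 1):
        if k > 1:
            Rk = mat_mul(Rk, R, D)
        tr = big_plus((q for (i, j), q in Rk.items() if i == j), D)
        if tr != D.bot:
            rho = D.plus(rho, tr / k)   # the k-th root in a (·, +) dioid is division by k
    return rho

def lift(alpha, states):
    """Linear lift α↑ ∈ M_{Σ#×Σ}(Q): e at (α(σ), σ), ⊥ elsewhere."""
    return {(alpha[s], s): 0 for s in states}

def transpose(A):
    return {(j, i): q for (i, j), q in A.items()}

def best_abstraction(M, alpha, states, initial, final, D):
    """Proposition 3: M# = α↑ ⊗ M ⊗ γ↑ with γ↑ the transpose of α↑, I# = α(I), F# = α(F)."""
    a = lift(alpha, states)
    return (mat_mul(mat_mul(a, M, D), transpose(a), D),
            {alpha[s] for s in initial}, {alpha[s] for s in final})

def is_correct_abstraction(M, Msharp, alpha, states, initial, final, isharp, fsharp, D):
    """Definition 8: α↑⊗M ≤ M#⊗α↑ pointwise (x ≤ y iff x ⊕ y = y), α(I) ⊆ I#, α(F) ⊆ F#."""
    a = lift(alpha, states)
    lhs, rhs = mat_mul(a, M, D), mat_mul(Msharp, a, D)
    below = all(D.plus(x, rhs.get(ij, D.bot)) == rhs.get(ij, D.bot) for ij, x in lhs.items())
    return below and {alpha[s] for s in initial} <= isharp and {alpha[s] for s in final} <= fsharp

if __name__ == "__main__":
    print("average cost of path abc:", path_cost(["a", "b", "c"], EDGES))
    print("global cost in (min,+):", global_cost(STATES, EDGES, INITIAL, FINAL, MIN_PLUS))
    print("global cost in (max,+):", global_cost(STATES, EDGES, INITIAL, FINAL, MAX_PLUS))
    print("long-run cost in (max,+):", long_run_cost(EDGES, INITIAL, MAX_PLUS))
    MS, IS, FS = best_abstraction(EDGES, ALPHA, STATES, INITIAL, FINAL, MAX_PLUS)
    print("abstract long-run cost in (max,+):", long_run_cost(MS, IS, MAX_PLUS))
```

Two details are worth noting when reading the results. In $(\min,+)$ the dioid order $\le_Q$ is $\ge$ on the reals, so Theorem 3's $gc(P) \le_Q gc(P^{\sharp})$ shows up as the abstract shortest-path cost 8 being numerically below the concrete 15; the abstraction still over-approximates in the dioid order. And the fixpoint test in `kleene_plus` is exact rather than heuristic: because $S_{k+1} = M \oplus M \otimes S_k$, a single step without change proves every later iterate equal, and in $(\max,+)$/$(\min,+)$ over $n$ states a sequence that is still changing after $n$ steps is being fed by a cycle whose cost accumulates, which is precisely the situation in which the text says the global cost degenerates to $\top$.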

5.4 Limitations

Partition-based abstraction is well adapted to simple cases where abstraction consists in "forgetting" information when going from the concrete state to the abstract one. Let us take an example to illustrate this fact. The concrete operational semantics of an object-oriented bytecode language considers states as tuples $(h, \langle m, pc, l, s \rangle \cdot sf)$, where $h$ is the heap of objects, and $\langle m, pc, l, s \rangle \cdot sf$ is a call stack consisting of frames of the form $\langle m, pc, l, s \rangle$, where each frame contains a method name $m$ and a program point $pc$ within $m$, a set of local variables $l$, and a local operand stack $s$ (see [17] for details on such an example). Depending on the property the analysis wants to establish, a first abstraction could define an abstract state as a simpler tuple $(h, m, pc, l, s)$, making the analysis context-insensitive. If we want to go further, we might want to abstract the heap $h$, which is usually a mapping from locations to objects, by an abstract heap mapping any location to the class of the corresponding object in the concrete heap. Both of these abstractions are easily expressed by abstraction functions partitioning the set of concrete states, and thus fit well the framework described above.

In contrast, if we now want to abstract the values of local variables by intervals, as is common in static analysis, we face two problems. The first one is similar to a "state explosion" problem, and the second one is related to the translation of the lattice order of intervals into the moduloid structure over abstract states. Let us explain both concerns in more detail. Let $n$ be a natural number. We denote by $Int_n$ the set of intervals with even bounds over $\{-n, \ldots, n\}$. The interval abstraction function $\alpha_{Int}$ [2] $: \mathcal{P}(\{-n, \ldots, n\}) \to Int_n$ maps a set of integers to the interval $[m - (m \bmod 2), M + (M \bmod 2)]$, where $m = \min_{i \in S} i$ and $M = \max_{i \in S} i$. If we lift $\alpha_{Int}$ into a linear map as above, we get a linear mapping from a moduloid of dimension $2^{2n+1}$ to a moduloid of dimension $|Int_n|$. The corresponding matrix is thus of size $|Int_n| \times 2^{2n+1}$. One could argue that the subsets of $\{-n, \ldots, n\}$ could canonically be represented by a moduloid of dimension $2n + 1$, each element contributing one dimension, and thus reducing the matrix size. For instance, if we fix $n = 2$, $\{-2\}$ is represented by $(e, \bot, \bot, \bot, \bot)^T$, $\{2\}$ by $(\bot, \bot, \bot, \bot, e)^T$, $\{-2, 2\}$ by $(e, \bot, \bot, \bot, e)^T$, etc. Let us now examine the abstract domain of even intervals. The set of even intervals over $\{-2, \ldots, 2\}$ is lifted to a moduloid of dimension 7. For instance, $[-2]$ is represented as $(\bot, e, \bot, \bot, \bot, \bot, \bot)^T$, and $[2]$ as $(\bot, \bot, \bot, e, \bot, \bot, \bot)^T$, if we order the intervals by increasing size and increasing lower bound. We thus should set $\alpha_{Int}((e, \bot, \bot, \bot, \bot)^T) = (\bot, e, \bot, \bot, \bot, \bot, \bot)^T$ and $\alpha_{Int}((\bot, \bot, \bot, \bot, e)^T) = (\bot, \bot, \bot, e, \bot, \bot, \bot)^T$.

Then $\alpha_{Int}((e, \bot, \bot, \bot, e)^T) = (\bot, \bot, \bot, \bot, \bot, \bot, e)^T$, which is distinct from $\alpha_{Int}((e, \bot, \bot, \bot, \bot)^T) \oplus \alpha_{Int}((\bot, \bot, \bot, \bot, e)^T)$, which equals $(\bot, e, \bot, e, \bot, \bot, \bot)^T$. In conclusion, we are not able to define $\alpha_{Int}$ as a linear operator as expected. The problem here comes from the fact that the structure of the abstract moduloid totally forgets about the lattice structure of intervals. Defining a residuated abstraction operator that respects the lattice structure of abstract states is the main contribution of this paper, and is developed in the next section.



6 Lifting Abstract Interpretations

In Section 5 we have presented a way to lift any abstraction function $\alpha$ into a linear mapping $\alpha^{\uparrow} \in \mathcal{M}_{\Sigma^{\sharp} \times \Sigma}(Q)$, where the domains $\Sigma$ and $\Sigma^{\sharp}$ are not supposed to have a particular structure. In order to benefit from the already existing abstractions provided by the classical abstract interpretation theory, we show how to translate them into our model. As abstract interpretation relies on lattices and Galois connections, we will investigate in Section 6.1 how these structures compare and are transposed to moduloids and linear operators. Then, in Section 6.2 we will investigate a new notion of correctness for this construction.

6.1 Abstraction operator

So far, the way we lift an abstraction represents a state $\sigma$ of $\Sigma$ by a vector $(\bot, \ldots, \bot, e, \bot, \ldots, \bot)^T$ where $e$ appears in the $\sigma$-place (recall $\Sigma$ is countable). The set of concrete states $\Sigma$ is thus represented using the moduloid $\Sigma^{\uparrow} = (\{\bot, e\}^{|\Sigma|}, \oplus, \otimes)$. Now, if we assume that $\Sigma$ is a lattice, this lifting unfortunately forgets about the ordered structure of $\Sigma$. This is regrettable because $\Sigma^{\uparrow}$ naturally has a lattice structure given by the $\oplus$ operator. Thus, a natural issue is to translate $\Sigma$ and $\Sigma^{\sharp}$ into moduloids while preserving their respective lattice orders. This property of morphism between orders will be referred to as the lift-order property in the remainder of this section.

6.1.1 Lifting a Galois connection into a linear mapping

Abstract interpretation often considers Galois connections $B \xrightleftharpoons[\alpha]{\gamma} A$ where $B$ is a powerset⁵ representing the concrete semantic domain, and $A$ is a complete lattice representing the abstract

⁵ Powersets are naturally equipped with a particular structure of complete lattice called boolean lattice [9].
domain. In order to lift $\alpha$ into a linear mapping, we will focus on how to lift-order these particular structures. The easy case naturally is the one of boolean lattices.

Lift-ordering boolean lattices. A boolean lattice $B$ is generated by its set of atoms $\mathcal{A}(B)$, corresponding to the singletons in the case of a powerset. Indeed, for each $b \in B$, $b = \bigvee \{a \in \mathcal{A}(B) \mid a \le b\}$ [9]. Let us code atoms $a$ as vectors in $\{\bot, e\}^{|\mathcal{A}(B)|}$ as previously (we note $\bar{a} = a^{\uparrow}$). Then, coding the other elements will follow from the use of $\oplus$:

$$\bar{b} = \bigoplus \{\bar{a} \mid a \le b\}$$

We denote by $\bar{B}$ the complete moduloid constructed this way from $B$, where the $\oplus$ operator of $\bar{B}$ matches the $\sqcup$ operator of $B$ by construction.

Now that we have expressed boolean lattices as moduloids, we are able to easily lift-order the abstraction function of a Galois connection $B_1 \xrightleftharpoons[\alpha]{\gamma} B_2$, where $B_1$ and $B_2$ are boolean lattices. By lift-ordering these lattices, we obtain two moduloids $(\bar{B}_1, \oplus_1, \otimes_1)$ and $(\bar{B}_2, \oplus_2, \otimes_2)$. Since $\sqcup_i$ and $\oplus_i$ coincide, and as $\alpha$ is a union morphism, its linear translation $\bar{\alpha}$ is defined by its values on the basis vectors of $\bar{B}_1$, i.e. the vectors coding the atoms of $B_1$.

$$\alpha(\{b_1\} \sqcup_1 \{b_2\}) = \alpha(\{b_1\}) \sqcup_2 \alpha(\{b_2\}) \qquad\qquad \bar{\alpha}(\bar{b}_1 \oplus_1 \bar{b}_2) = \bar{\alpha}(\bar{b}_1) \oplus_2 \bar{\alpha}(\bar{b}_2)$$

Lift-ordering complete lattices. In most cases, $A$ is not a powerset but a more general complete lattice for which the vectorial translation is not so straightforward. The representation theorem of finite distributive lattices [9] asserts that any such lattice $A$ is isomorphic to a lattice of sets. Thus, $A$ can be seen as a sublattice of a given powerset, which we will denote by $\mathcal{P}(A)$. The previous coding applies to $\mathcal{P}(A)$ and a fortiori to $A$. However, the set of vectors $\bar{A}$ constructed this way no longer has the structure of a complete moduloid, unlike $\overline{\mathcal{P}(A)}$. This method provides a solution to the "state explosion" problem presented in Section 5. Nevertheless, our second problem remains unsolved. Indeed, there is still no match between the $\oplus$ operator and $\sqcup$, the join operator of the lattice. For instance, $[-2] \sqcup [2] = [-2, 2]$ whereas $\overline{[-2]} \oplus \overline{[2]} = (e, \bot, e)^T$ and $\overline{[-2, 2]} = (e, e, e)^T$. This makes it impossible to express $\alpha$ as a linear mapping, since for instance $\bar{\alpha}(\overline{\{-2\}} \oplus \overline{\{2\}}) = (e, e, e)^T \neq \bar{\alpha}(\overline{\{-2\}}) \oplus \bar{\alpha}(\overline{\{2\}}) = (e, \bot, e)^T$. We thus have to weaken our requirement: in the following, we choose to lift-order Galois connections into non-linear, but still residuated, mappings.



6.1.2 Lifting a Galois connection into a residuable mapping 



Since $\mathcal{P}(A)$ is a complete boolean lattice, we will decompose $\alpha$ into a linear part from $\bar B$ to $\overline{\mathcal{P}(A)}$, and a projection from $\overline{\mathcal{P}(A)}$ into its sublattice $\bar A$ we are interested in, representing the vector encodings of elements of $A$. Figure 1(b) illustrates this decomposition.

The linear part of $\alpha$, denoted by $\bar\alpha_l$, is defined as in the case of a connection between two boolean lattices: $\bar\alpha_l$ is defined on the set of atoms of $B$ by $\bar\alpha_l(\bar b) = \overline{\alpha(b)}$ where $b$ is an atom of $B$, and then extended to $\bar B$ by linearity. As an example, Figure 1(c) shows the abstraction matrix for the abstraction by even intervals, for $n = 2$. Element $\{-1\}$ of the concrete domain is mapped to interval $[-2,0]$ of the abstract domain. Thus, $\bar\alpha_l$ maps atom $\overline{\{-1\}}$ to $\overline{[-2,0]}$ which is the sum of atoms $\overline{[-2]}$ and $\overline{[0]}$.



D. Cachera & A. Jobin

Figure 1: Lifting of Galois connections. (a) Example of a set lattice (even interval lattice on the set $\{-2,\dots,2\}$) and its associated powerset (which is isomorphic to the powerset $(\mathcal{P}(\{1,2,3\}), \cup)$). (b) Galois connection and its lift. (c) Abstraction matrix mapping subsets of $\{-2,\dots,2\}$ to even intervals.

This linear mapping is then composed with a projection $\pi$ in order to yield a vector in $\bar A$ corresponding to an element of the (non boolean) lattice $A$. As we want to keep the lift-order property, for all $x \in \overline{\mathcal{P}(A)}$, $\pi(x)$ is defined as the smallest element $z \in \bar A$ such that $z \ge x$². Note that $\pi$ defined this way is an upper closure operator in $\overline{\mathcal{P}(A)}$. On our even interval abstraction example, $\bar\alpha_l(\overline{\{-2,2\}}) = (e,\bot,e)^T$ is projected to the top element $(e,e,e)^T$ of the abstract vector lattice.

As $\bar\alpha_l$ is a linear mapping between two complete moduloids, by Proposition 2, $\bar\alpha_l$ has a residual mapping $\bar\gamma_l$, i.e. $\bar\alpha_l \circ \bar\gamma_l \le \mathrm{Id}_{\overline{\mathcal{P}(A)}}$ and $\bar\gamma_l \circ \bar\alpha_l \ge \mathrm{Id}_{\bar B}$. Passing from $\bar A$ to $\overline{\mathcal{P}(A)}$ is simply done by a canonical injection $\iota$.

We finally prove the following property, that allows for defining a pseudo-invertible lift of our initial Galois connection (the proof is given in Appendix A).

Proposition 4 Mappings $\pi \circ \bar\alpha_l$ and $\bar\gamma_l \circ \iota$ as defined above are such that $\pi \circ \bar\alpha_l$ is residuated and $\bar\gamma_l \circ \iota$ is its residual, and thus form a Galois connection between moduloids $\bar B$ and $\bar A$ seen as lattices.

By this construction, we are able to translate a Galois connection $B \underset{\gamma}{\overset{\alpha}{\rightleftarrows}} A$ into a residuable mapping written as the composition of a linear mapping and an upper closure operator $\pi$. We now check that this new construction of abstraction operators preserves the over-approximation of cost computations.

² The completeness property of $A$ and the morphism between the orders on $A$ and on its lifted version $\bar A$ ensure the existence of this element.
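The lift of the even-interval Galois connection of Figure 1, worked through as an added example (this is our code, not the paper's): concrete and abstract vectors are coded over the boolean dioid $\{\bot, e\}$, the linear part $\bar\alpha_l$ is the matrix of Figure 1(c), $\pi$ is the upper closure onto $\bar A$ and $\bar\gamma_l$ is the residual of $\bar\alpha_l$. The names (ALPHA_L, pi, gamma_l, ...) and the coding of lattice elements as tuples of booleans are our own choices. The last function checks Proposition 4 by brute force over all 32 vectors of $\bar B$ and the 7 vectors of $\bar A$, and linearity_counterexample reproduces the failure of linearity noted in Section 6.1.1.

```python
# Added example (ours, not the paper's code): the even-interval abstraction of
# Figure 1 coded over the boolean dioid {bot, e}, with False = bot and True = e.
# Concrete atoms are the singletons {-2},...,{2}; abstract atoms are the even
# intervals [-2], [0], [2].  All names are our own choices.
from itertools import product

CONCRETE_ATOMS = (-2, -1, 0, 1, 2)      # basis b of B-bar (5 coordinates)
ABSTRACT_ATOMS = ("[-2]", "[0]", "[2]")  # basis b_a of P(A)-bar (3 coordinates)

# The sublattice A-bar of P(A)-bar: every even interval as a {bot,e}^3 vector.
# (e,bot,e) is deliberately absent: in A, [-2] join [2] = [-2,2] = (e,e,e).
ABSTRACT_LATTICE = {
    "empty":  (False, False, False),
    "[-2]":   (True,  False, False),
    "[0]":    (False, True,  False),
    "[2]":    (False, False, True),
    "[-2,0]": (True,  True,  False),
    "[0,2]":  (False, True,  True),
    "[-2,2]": (True,  True,  True),
}

# Matrix of the linear part alpha_l (Figure 1(c)): column j codes alpha({x_j}),
# the smallest even interval containing the concrete point x_j.
ALPHA_L = (
    # {-2}   {-1}   {0}    {1}    {2}
    (True,  True,  False, False, False),   # row [-2]
    (False, True,  True,  True,  False),   # row [0]
    (False, False, False, True,  True),    # row [2]
)


def leq(u, v):
    """Componentwise order of the moduloid (bot < e): u <= v."""
    return all(b or not a for a, b in zip(u, v))


def join(u, v):
    """(+) of two vectors, i.e. componentwise 'or'."""
    return tuple(a or b for a, b in zip(u, v))


def concrete_vector(subset):
    """Code a subset of {-2,...,2}: b-bar = (+) of the codings of its atoms."""
    return tuple(x in subset for x in CONCRETE_ATOMS)


def alpha_l(x):
    """Linear part: (alpha_l x)_i = (+)_j ALPHA_L[i][j] (x) x_j over {bot, e}."""
    return tuple(any(a and xj for a, xj in zip(row, x)) for row in ALPHA_L)


def pi(y):
    """Upper closure on P(A)-bar: the smallest vector of A-bar above y."""
    above = [z for z in ABSTRACT_LATTICE.values() if leq(y, z)]
    best = min(above, key=sum)
    assert all(leq(best, z) for z in above)  # least upper bound exists in A-bar
    return best


def gamma_l(y):
    """Residual of alpha_l: the largest x such that alpha_l(x) <= y.
    Atom j may be kept iff every abstract atom i it maps to is present in y."""
    return tuple(all(y[i] or not ALPHA_L[i][j] for i in range(len(y)))
                 for j in range(len(CONCRETE_ATOMS)))


def alpha(x):
    """The lifted abstraction pi o alpha_l: residuated, but not linear."""
    return pi(alpha_l(x))


def linearity_counterexample():
    """alpha({-2} (+) {2}) versus alpha({-2}) (+) alpha({2}) (Section 6.1.1)."""
    lhs = alpha(join(concrete_vector({-2}), concrete_vector({2})))
    rhs = join(alpha(concrete_vector({-2})), alpha(concrete_vector({2})))
    return lhs, rhs


def check_galois_connection():
    """Brute-force check of Proposition 4 over all 32 vectors of B-bar and the
    7 vectors of A-bar: adjunction, extensivity of gamma_l o pi o alpha_l and
    reductivity of pi o alpha_l o gamma_l (the injection iota is the identity here)."""
    for x in product((False, True), repeat=len(CONCRETE_ATOMS)):
        if not leq(x, gamma_l(alpha(x))):
            return False
        for y in ABSTRACT_LATTICE.values():
            if leq(alpha(x), y) != leq(x, gamma_l(y)):
                return False
    return all(leq(alpha(gamma_l(y)), y) for y in ABSTRACT_LATTICE.values())
```

The adjunction check is the substance of Proposition 4: since $\pi(\bar\alpha_l(x))$ is the least element of $\bar A$ above $\bar\alpha_l(x)$, comparing it with $y \in \bar A$ is the same as comparing $\bar\alpha_l(x)$ with $y$, which residuation turns into $x \le \bar\gamma_l(y)$.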
6.2 Correctness of cost computations

The way of lifting abstraction functions in Section 5.1 produced linear mappings. On the other hand, the lift version of Section 6.1 gives only residuable mappings. Unfortunately, the correctness of cost computations intimately depends on the matricial character of the abstraction function and seems difficult to establish for general residuable mappings. Nonetheless, we can establish the correctness of cost computations in a weaker way, using only the linear part $\bar\alpha_l$ of the residuable abstraction $\pi \circ \bar\alpha_l$. We thus slightly change the definition of a correct abstraction into a notion of correct linear abstraction.

Definition 9 (Correct linear abstraction) Let $\bar B$ and $\overline{\mathcal{P}(A)}$ be two moduloids of respective bases $b$ and $b_a$. Let $Q$ be a cost dioid. Let $P = (\bar B, M, I, F)$ be a transition system with $M \in \mathcal{M}_{b \times b}(Q)$ and $P^\sharp = (\overline{\mathcal{P}(A)}, M^\sharp, I^\sharp, F^\sharp)$ be a transition system over the abstract domain, with $M^\sharp \in \mathcal{M}_{b_a \times b_a}(Q)$. Let $\bar\alpha_l$ be a linear mapping from $\bar B$ to $\overline{\mathcal{P}(A)}$. The triple $(P, P^\sharp, \bar\alpha_l)$ is a correct linear abstraction from $\bar B$ to $\overline{\mathcal{P}(A)}$ if the three conditions (1) $\bar\alpha_l \circ M \le M^\sharp \circ \bar\alpha_l$, (2) $\{\bar\alpha_l(\sigma) \mid \sigma \in I\} \subseteq I^\sharp$ and (3) $\{\bar\alpha_l(\sigma) \mid \sigma \in F\} \subseteq F^\sharp$ hold.

In contrast with Definition 8 where we considered an abstraction function $\alpha$ and stated the correctness using its lifted version $\bar\alpha$, we directly consider here the abstraction function as a linear mapping between moduloids³. As a consequence, we will prove a notion of correctness that is independent of the way domains are lifted. As far as the global cost is concerned, this makes no difference since Lemma 2 remains true for this notion. However, the correctness proof is more difficult to achieve for the long-run cost, and will require an additional hypothesis on the cost dioid, namely it being selective.

As the notion of long-run cost can be stated without considering initial and final states, in what follows we use the notation of a correct linear abstraction $(M, M^\sharp, \bar\alpha_l)$ to refer to the inequality stated in item (1) of Definition 9.

Theorem 5 below states that a correct linear abstraction gives an over-approximation of the global cost, while Theorem 6 states the same result for the long-run cost.

Theorem 5 If $(M, M^\sharp, \bar\alpha_l)$ is a correct linear abstraction, then $gc(M) \le gc(M^\sharp)$.

Theorem 6 Let $Q$ be a selective cost dioid⁴. If $(M, M^\sharp, \bar\alpha_l)$ is a correct linear abstraction, then $\rho(M) \le \rho(M^\sharp)$.

As mentioned above, the proof of Theorem 5 is a direct consequence of Lemma 2. On the contrary, the proof of Theorem 6 requires four lemmas, whose proofs are given in Appendix B.
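A numerical check of Definition 9 and Theorem 6, as an added example that is not part of the paper: the cost dioid is the selective dioid $(\mathbb{R} \cup \{-\infty\}, \max, +)$ (so $\bot = -\infty$ and $e = 0$), the concrete transition system on the states $\{-2,\dots,2\}$ and its costs are constructed for the example, $\bar\alpha_l$ is the even-interval abstraction of Section 6.1, and $M^\sharp$ is the least abstract matrix satisfying condition (1), built by a formula of our own. The long-run cost is computed as the maximum cycle mean, which over $(\max,+)$ equals $\max_{1 \le k \le n,\, i} (M^k)_{ii}/k$; all function names are ours.

```python
# Added example (ours, not the paper's code): a correct linear abstraction and
# the long-run cost inequality of Theorem 6 over the selective cost dioid
# (R u {-inf}, max, +), where bot = -inf and e = 0.  The transition system,
# its costs and the function names are constructed for this example.
from fractions import Fraction

BOT = float("-inf")   # neutral element of (+) = max, absorbing for (x) = +
E = 0                 # neutral element of (x)


def oplus(a, b):
    return max(a, b)  # selective: a (+) b is always one of a, b


def otimes(a, b):
    return a + b      # -inf + x == -inf, so bot absorbs as required


def matmul(A, B):
    """Matrix product over the dioid: (A (x) B)_ij = (+)_k A_ik (x) B_kj."""
    return [[max(otimes(A[i][k], B[k][j]) for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def matpow(A, k):
    R = A
    for _ in range(k - 1):
        R = matmul(R, A)
    return R


def leq_matrix(A, B):
    """Pointwise order of the dioid: a <= b iff a (+) b == b."""
    return all(oplus(a, b) == b for ra, rb in zip(A, B) for a, b in zip(ra, rb))


# Concrete states: values of a variable in {-2,...,2}.  M[c][s] is the cost of
# the transition s -> c (columns index the source state, as in M_{c sigma}).
STATES = (-2, -1, 0, 1, 2)
EDGES = {(-2, -1): 1, (-1, 0): 1, (0, 1): 2, (1, 2): 1, (2, -2): 2, (0, 0): 1}
M = [[EDGES.get((s, c), BOT) for s in STATES] for c in STATES]

# Linear part alpha_l of the even-interval abstraction (Section 6.1): row i is e
# on the concrete states whose abstraction contains the even interval atom i.
ATOMS = ("[-2]", "[0]", "[2]")
ALPHA_L = [[E if s in cover else BOT for s in STATES]
           for cover in ((-2, -1), (-1, 0, 1), (1, 2))]


def induced_abstract_matrix(M, alpha_l):
    """Least M# satisfying alpha_l o M <= M# o alpha_l (our construction):
    M#_ia = (+) { M_cs | atom i appears in alpha_l(c) and atom a in alpha_l(s) }."""
    n = len(alpha_l)
    return [[max((M[c][s] for c in range(len(M)) if alpha_l[i][c] == E
                  for s in range(len(M)) if alpha_l[a][s] == E), default=BOT)
             for a in range(n)] for i in range(n)]


M_SHARP = induced_abstract_matrix(M, ALPHA_L)


def is_correct_linear_abstraction(M, M_sharp, alpha_l):
    """Item (1) of Definition 9 (and, applied to M^k and (M#)^k, Lemma 2)."""
    return leq_matrix(matmul(alpha_l, M), matmul(M_sharp, alpha_l))


def check_cycle_lemma(M, M_sharp, alpha_l, k):
    """Lemma 3: for every sigma with M^k_{sigma sigma} != bot and every atom i of
    alpha_l(sigma), some atom j of alpha_l(sigma) has (M#)^k_ij >= M^k_{sigma sigma}."""
    Mk, Mk_sharp = matpow(M, k), matpow(M_sharp, k)
    for s in range(len(M)):
        if Mk[s][s] == BOT:
            continue
        atoms = [i for i in range(len(alpha_l)) if alpha_l[i][s] == E]
        if any(all(Mk_sharp[i][j] < Mk[s][s] for j in atoms) for i in atoms):
            return False
    return True


def long_run_cost(M):
    """rho(M) = (+) over cycles of the average cost, i.e. the maximum cycle mean;
    over (max,+) it equals max over 1 <= k <= n and i of (M^k)_ii / k."""
    n, best = len(M), BOT
    for k in range(1, n + 1):
        Mk = matpow(M, k)
        for i in range(n):
            if Mk[i][i] != BOT:
                best = max(best, Fraction(Mk[i][i], k))
    return best


if __name__ == "__main__":
    print("correct:", is_correct_linear_abstraction(M, M_SHARP, ALPHA_L))
    print("rho(M) =", long_run_cost(M), "<= rho(M#) =", long_run_cost(M_SHARP))
```

On this input the concrete long-run cost is $7/5$ (the five-state cycle), while the abstract one is $2$ (the self-loop on $[0]$, which merges the concrete self-loop on $0$ with the transition $0 \to 1$), so $\rho(M) \le \rho(M^\sharp)$ as Theorem 6 requires; the cycle of Lemma 4 here has length $kr = 5$, matching the concrete cycle.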

Lemma 1 Let $(M, M^\sharp, \bar\alpha_l)$ be a correct linear abstraction and $(\sigma^\sharp, \sigma) \in b_a \times b$. Then, we have:

$\bigoplus_{\{c \in b \mid \sigma^\sharp \le \bar\alpha_l(c)\}} M_{c\sigma} \;\le\; \bigoplus_{\{a \in b_a \mid a \le \bar\alpha_l(\sigma)\}} M^\sharp_{\sigma^\sharp a} \qquad (2)$

Lemma 1 is quite straightforward. Its proof consists in developing each member of the correct linear abstraction inequality. Lemma 2 is not specific to this section and was borrowed from the proof of the corresponding theorem of Section 5.

Lemma 2 Let $(M, M^\sharp, \bar\alpha_l)$ be a correct linear abstraction. Then, for all $k \ge 1$, $(M^k, (M^\sharp)^k, \bar\alpha_l)$ is a correct linear abstraction.

³ For instance, this can be achieved by applying techniques of Section 6.1 on a Galois connection $B \underset{\gamma}{\overset{\alpha}{\rightleftarrows}} A$.
⁴ Recall that a dioid is selective if for all $a, b$, $a \oplus b$ is either $a$ or $b$.

Lemma 3 is the core of Theorem 6. It establishes that every cycle of length $k$ of the concrete graph represented by $M$ has a corresponding abstract path of the same length $k$ and of higher cost. As mentioned above, we will assume that the cost dioid is selective.

Lemma 3 Let us assume a selective cost dioid $Q$. Let $(M, M^\sharp, \bar\alpha_l)$ be a correct linear abstraction. Then, for all $\sigma$ and $k \ge 1$ such that $M^k_{\sigma\sigma} \ne \bot$ and for all $\sigma^\sharp_i \in b_a$ appearing in the vector decomposition of $\bar\alpha_l(\sigma)$ on the basis $b_a$, there exists $\sigma^\sharp_j \le \bar\alpha_l(\sigma)$ such that $(M^\sharp)^k_{\sigma^\sharp_i \sigma^\sharp_j} \ge M^k_{\sigma\sigma}$.

Finally, Lemma 4 states that for every cycle of length $k$ of the concrete graph $M$ there exists a cycle of potentially higher length $kr$ in the abstract graph $M^\sharp$ and of higher average cost.

Lemma 4 Let $Q$ be a selective cost dioid. Let $(M, M^\sharp, \bar\alpha_l)$ be a correct linear abstraction. Let $\sigma \in b$ and $k \ge 1$ such that $M^k_{\sigma\sigma} \ne \bot$. We note $\bar\alpha_l(\sigma) = \sigma^\sharp_1 \oplus \cdots \oplus \sigma^\sharp_s$. Then, there exist $1 \le j, r \le s$ such that:

7 Discussion and related work 

We have defined a quantitative counterpart of abstract interpretation starting from an opera- 
tional semantics where transitions are labelled with costs of computations. The dioid structure of 
the set of costs allows for defining concrete and abstract semantics as linear operators between 
moduloids. We have presented two abstraction techniques for relating concrete and abstract 
semantics. The first one defines an abstraction function as a linear operator. It is usable for 
simple cases of abstractions, but suffers from a state explosion problem and is not suited for 
reusing standard abstract domains provided by the abstract interpretation literature. The sec- 
ond technique decomposes abstraction into a linear operator and a projection operator, and 
establishes a link between our framework and standard Galois connections. We have shown that 
both techniques provide an over-approximation of concrete cost computations. 

This article follows [IHIE], where the first abstraction technique was presented. It broadens our view of quantitative static analysis by allowing a reuse of classical abstract domains used in qualitative static analyses.

The present work is inspired by the quantitative abstract interpretation framework developed by Di Pierro and Wiklicky [11]. We have followed their approach in modeling programs as linear operators over a vector space, with the notable technical difference that their operators act over a semiring of probabilities whereas ours work with idempotent dioids. In Di Pierro and Wiklicky's work, the relation with abstract interpretation is justified by the use of the pseudo-inverse of a linear operator, similar to a Galois connection mechanism, enforcing the soundness of abstractions. Our approach can be seen as intermediate between theirs and classical abstract interpretation: on one hand, we use residuation theory in order to get a pseudo-inverse for linear abstraction functions; on the other hand, we benefit from the partially ordered structure of dioids to give guarantees of soundness under the assumption $\alpha \circ M \le M^\sharp \circ \alpha$, which is a classical requirement in abstract interpretation. Another approach for probabilistic abstract interpretation has been followed by Monniaux [15] for the analysis of imperative programs containing random operators, where the semantics of a program is seen as a mapping between probability distributions. Note however that neither the dioid approach nor the probabilistic semiring approach can generalise the other, since there is an inherent contradiction between being a ring and a dioid. Reconciling both frameworks would require the definition of a more complex mathematical structure equipped with all operators, with the difficulty of keeping all the nice properties of the initial models.

Several other works make use of idempotent semirings for describing quantitative aspects of computations, namely under the form of constraint semirings [1], particularly under the name of soft constraints. These have been used in the field of Quality of Service [10, 16], in particular with systems modelled by graph rewriting mechanisms [TS]. In all these approaches, the $\oplus$ and $\otimes$ operators of the constraint semiring are used for combining constraints. Among these works, two similar approaches deserve particular attention, since they deal with abstraction mechanisms. Aziz [2] makes use of semirings in a mobile process calculus derived from the $\pi$-calculus, in order to model the cost of communicating actions. He also defines a static analysis framework, by abstracting "concrete" semirings into abstract semirings of reduced cardinality, and defining abstract semiring operators accordingly. Bistarelli et al. [5] define an abstract interpretation based framework for abstracting soft constraint satisfaction problems (SCSPs). As in Aziz's approach, they get an abstract SCSP by just changing the associated semiring, leaving unchanged the remainder of the structure. Concrete and abstract semirings are related by means of a Galois insertion, which provides correctness results. A major difference between these approaches and ours is that they abstract the semiring and leave the system itself unchanged, while we abstract the structure of states and keep the same dioid.

This paper tackles the problem of the linear operator approach for modelling quantitative semantics. Even if we managed to get residuated pairs for translating Galois connections into a linear model, the correctness of cost computations for a lifted Galois connection is defined only for its linear part, thus forgetting about the final projection. One could argue that this correctness is not adequate, since it does not deal with the final abstract semantics but with an intermediate one. Recall however that we aim at computing an over-approximation of the concrete long-run cost. Thus, the fact that the "exact" abstract semantics is obtained by a subsequent projection does not really matter here.

An interesting avenue for further work would be to relax the correctness criterion so that the 
abstract estimate is "close" to (but not necessarily greater than) the exact quantity. For certain 
quantitative measures, a notion of "closeness" might be of interest, as opposed to the qualitative 
case where static analyses must err on the safe side. 
A Proof of Proposition 4

Proposition 4 Mappings $\pi \circ \bar\alpha_l$ and $\bar\gamma_l \circ \iota$ as defined above are such that $\pi \circ \bar\alpha_l$ is residuated and $\bar\gamma_l \circ \iota$ is its residual, and thus form a Galois connection between moduloids $\bar B$ and $\bar A$ seen as lattices.

Proof. We first note that $\pi \circ \bar\alpha_l$ and $\bar\gamma_l \circ \iota$ are monotonic by composition of monotonic mappings. We then show that $(\bar\gamma_l \circ \iota) \circ (\pi \circ \bar\alpha_l) \ge \mathrm{Id}_{\bar B}$: for all $\sigma \in \bar B$, $\pi(\bar\alpha_l(\sigma)) \ge \bar\alpha_l(\sigma)$ because $\pi$ is extensive. As $\bar\gamma_l$ is monotonic and is the residual of $\bar\alpha_l$, we have $\bar\gamma_l \circ \pi(\bar\alpha_l(\sigma)) \ge \bar\gamma_l(\bar\alpha_l(\sigma)) \ge \sigma$. We finally show that $(\pi \circ \bar\alpha_l) \circ (\bar\gamma_l \circ \iota) \le \mathrm{Id}_{\bar A}$: as $\bar B \underset{\bar\gamma_l}{\overset{\bar\alpha_l}{\rightleftarrows}} \overline{\mathcal{P}(A)}$ is a Galois connection, $\bar\alpha_l \circ \bar\gamma_l \circ \iota(x) = \bar\alpha_l \circ \bar\gamma_l(x) \le x$ for all $x \in \bar A$. By applying the monotonic function $\pi$ to each member of this inequality, we get $\pi(\bar\alpha_l \circ \bar\gamma_l(x)) \le \pi(x)$. As $x \in \bar A$, $\pi(x) = x$, which allows us to conclude the proof. □

B Proof of Theorem 6

Lemma 2 Let $(M, M^\sharp, \bar\alpha_l)$ be a correct linear abstraction and $(\sigma^\sharp, \sigma) \in b_a \times b$. Then, we have:

$\bigoplus_{\{c \in b \mid \sigma^\sharp \le \bar\alpha_l(c)\}} M_{c\sigma} \;\le\; \bigoplus_{\{a \in b_a \mid a \le \bar\alpha_l(\sigma)\}} M^\sharp_{\sigma^\sharp a} \qquad (3)$

Proof. Let us first consider the left member of the correct linear abstraction inequality, i.e. the entry of index $(\sigma^\sharp, \sigma)$ of $\bar\alpha_l \circ M$. Since the entries of the matrix of $\bar\alpha_l$ are $e$ or $\bot$, we get

$(\bar\alpha_l \circ M)_{\sigma^\sharp\sigma} = \bigoplus_{c \in b} (\bar\alpha_l)_{\sigma^\sharp c} \otimes M_{c\sigma} = \bigoplus_{\{c \mid \sigma^\sharp \le \bar\alpha_l(c)\}} M_{c\sigma}$ by definition of $\bar\alpha_l$.

We note in passing that the inequality $\sigma^\sharp \le \bar\alpha_l(c)$ is equivalent to the fact that the element $\sigma^\sharp \in b_a$ appears in the vector decomposition of $\bar\alpha_l(c)$ over the basis $b_a$.

We conclude the proof by developing the right member of the inequality:

$(M^\sharp \circ \bar\alpha_l)_{\sigma^\sharp\sigma} = \bigoplus_{a \in b_a} M^\sharp_{\sigma^\sharp a} \otimes (\bar\alpha_l)_{a\sigma} = \bigoplus_{\{a \mid a \le \bar\alpha_l(\sigma)\}} M^\sharp_{\sigma^\sharp a}$. □



Lemma 3 Let $(M, M^\sharp, \bar\alpha_l)$ be a correct linear abstraction. Then, for all $k \ge 1$, $(M^k, (M^\sharp)^k, \bar\alpha_l)$ is a correct linear abstraction.

Proof. We proceed by induction over $k$. The property holds at rank 1 by hypothesis. If the property holds at rank $n$, it is also established at rank $n+1$ by applying the property at rank 1 and by preservation of the order in a dioid. □

Lemma 4 Let $Q$ be a selective cost dioid. Let $(M, M^\sharp, \bar\alpha_l)$ be a correct linear abstraction. Then, for all $\sigma$ and $k \ge 1$ such that $M^k_{\sigma\sigma} \ne \bot$ and for all $\sigma^\sharp_i \in b_a$ appearing in the vector decomposition of $\bar\alpha_l(\sigma)$ on the basis $b_a$ (i.e. $\sigma^\sharp_i \le \bar\alpha_l(\sigma)$), there exists $\sigma^\sharp_j \le \bar\alpha_l(\sigma)$ such that $(M^\sharp)^k_{\sigma^\sharp_i \sigma^\sharp_j} \ge M^k_{\sigma\sigma}$.

Proof. Let $\sigma \in b$ such that $M^k_{\sigma\sigma} \ne \bot$. We note $\bar\alpha_l(\sigma) = \sigma^\sharp_1 \oplus \cdots \oplus \sigma^\sharp_s$ the vector decomposition of $\bar\alpha_l(\sigma)$ on the basis $b_a$.

We apply inequality (2) to $(\sigma^\sharp_1, \sigma), \dots, (\sigma^\sharp_s, \sigma)$ and $M^k$ (by Lemma 3, $(M^k, (M^\sharp)^k, \bar\alpha_l)$ is a correct linear abstraction). As for all $i$, $\sigma$ belongs to $\{c \mid \sigma^\sharp_i \le \bar\alpha_l(c)\}$, we get:

$M^k_{\sigma\sigma} \le \bigoplus_{\{c \mid \sigma^\sharp_1 \le \bar\alpha_l(c)\}} M^k_{c\sigma} \le \bigoplus_{\{a \mid a \le \bar\alpha_l(\sigma)\}} (M^\sharp)^k_{\sigma^\sharp_1 a} = (M^\sharp)^k_{\sigma^\sharp_1 \sigma^\sharp_{m_1}}$

$\vdots$

$M^k_{\sigma\sigma} \le \bigoplus_{\{c \mid \sigma^\sharp_s \le \bar\alpha_l(c)\}} M^k_{c\sigma} \le \bigoplus_{\{a \mid a \le \bar\alpha_l(\sigma)\}} (M^\sharp)^k_{\sigma^\sharp_s a} = (M^\sharp)^k_{\sigma^\sharp_s \sigma^\sharp_{m_s}}$

where $m_i$ denotes the index of the greatest element of the right member of the inequality (recall that we demand the dioid to be selective). Thus, for all $i$, $(M^\sharp)^k_{\sigma^\sharp_i \sigma^\sharp_{m_i}} \ge M^k_{\sigma\sigma}$. □
Lemma 5 Let $Q$ be a selective cost dioid. Let $(M, M^\sharp, \bar\alpha_l)$ be a correct linear abstraction. Let $\sigma \in b$ and $k \ge 1$ such that $M^k_{\sigma\sigma} \ne \bot$. We note $\bar\alpha_l(\sigma) = \sigma^\sharp_1 \oplus \cdots \oplus \sigma^\sharp_s$. Then, there exist $1 \le j, r \le s$ such that:

Proof. Applying Lemma 4, there exist $(m_i)_{1 \le i \le s}$, elements of $[\![1, s]\!]$, such that, for all $i$, $(M^\sharp)^k_{\sigma^\sharp_i \sigma^\sharp_{m_i}} \ge M^k_{\sigma\sigma}$. It implies that every edge $(\sigma^\sharp_i, \sigma^\sharp_{m_i})$ of the graph $(M^\sharp)^k$ has a non-zero cost ($\ne \bot$). Every vertex of the graph $(M^\sharp)^k$ restricted to the vertices $\{\sigma^\sharp_1, \dots, \sigma^\sharp_s\}$ has at least one leaving edge. We deduce from this that there exists a cycle in this restricted graph. Thus, writing $m^{(t)}_j$ for the $t$-fold iterate of $i \mapsto m_i$ starting from $j$, there is $1 \le j \le s$ such that $(M^\sharp)^k_{\sigma^\sharp_j \sigma^\sharp_{m_j}} \ge M^k_{\sigma\sigma}, \dots, (M^\sharp)^k_{\sigma^\sharp_{m^{(r-1)}_j} \sigma^\sharp_j} \ge M^k_{\sigma\sigma}$ for an appropriate $r \in [\![1, s]\!]$. By order preservation, we get:

$aux = (M^\sharp)^k_{\sigma^\sharp_j \sigma^\sharp_{m_j}} \otimes \cdots \otimes (M^\sharp)^k_{\sigma^\sharp_{m^{(r-1)}_j} \sigma^\sharp_j} \ge (M^k_{\sigma\sigma})^r.$

By definition of the diagonal elements of $(M^\sharp)^{kr}$, we get that $(M^\sharp)^{kr}_{\sigma^\sharp_j \sigma^\sharp_j} \ge aux \ge (M^k_{\sigma\sigma})^r$. We recall that the $kr$-th power is a monotonic function. Thus, it suffices to apply it to each side of the inequality to get the wanted result. □

Now, we can establish Theorem 6.

Proof. By applying Lemma 5, we get that for each cycle $c$ of $M$ there exists a cycle $c^\sharp$ of $M^\sharp$ of higher average cost ($q(c^\sharp) \ge q(c)$). Thus,

$\rho(M) = \bigoplus_{c \text{ cycle of } M} q(c) \;\le\; \bigoplus_{c^\sharp \text{ cycle of } M^\sharp} q(c^\sharp) = \rho(M^\sharp).$

□



